Ever since I saw Marc Stiegler's demo of CapDesk at the O'Reilly Emerging
Technologies Conference in 2002 [1], I stopped being excited about
capabilities. Instead, I became excited about *whatever technology* could be
used to implement the functionality that MarcS demoed. If some ACL-based
technology could do that, then I would be excited about it. If it turns out
that no real capability system can enforce various kinds of confinement [2],
but that it can still implement MarcS's demo, then I'm still excited about it.
In that demo, MarcS downloaded a text-editor caplet from "texteditors-R-us.ru",
and used it to edit a precious file, by clicking "File -> Open" and specifying
which file to load. After changing some of the contents of the file, he
clicked "File -> Save As" and specified the filename under which to save it.
The text-editor caplet was prevented by CapDesk from reading any files other
than the one that the user specified in "File -> Open", and it was prevented
from writing to any files other than the one that the user specified in "File
-> Save As". All of this is possible without Lampson confinement [*].
Now MarcS also demoed something that isn't possible without some confinement,
specifically that CapDesk prevented the caplet from leaking the contents of the
file out to the authors of the caplet. This might not be possible in practice
(or it might), but in any case the demo is compelling to me even without that
feature.
Regards,
Zooko
P.S. I wanted to find page [2], so I googled for "confinement capability".
Google returned a post by MarkM written in Nov 1999: [3]. It is eminently
relevant to the current discussion, from which MarkM is regrettably absent.
[*] Unless, of course, some other object on the system has the data from one of
the non-allowed files and leaks it to the "text-editor" caplet. I hope it
is as obvious to everyone else as it is to me that this possibility should
not be interpreted as erasing the benefits of CapDesk's access-limiting
"File -> Open" dialog.
[1] http://conferences.oreillynet.com/cs/et2002/view/e_sess/2223
[2] http://www.erights.org/elib/capability/confinement.html
[3] http://www.eros-os.org/~majordomo/e-lang/1011.html